Give windows (local group=users) user permission to change others same group users password.

  • Question

  • Hi,

    We have a Windows 2008 R2 server in our environment and my requirement is:

    We have a local user whose name is "opsuser". opsuser is part of the local "users" group and I want to give him permission to change the passwords of other users who are also part of the same local users group.

    Kindly help.

    Thanks in advance.

    Regards

    Aadi

    Tuesday, March 20, 2012 9:54 PM

Answers

  • Hi,

    Thanks for your post.

    According to your description, you want to allow a normal local user to change other users’ passwords. As far as I know, we need to add the user to the administrators group before they can reset other users’ passwords. Your understanding is highly appreciated. However, for a domain environment, you can delegate the reset password permission to a user or group object in AD.

    You can follow the steps below to verify whether the user has "reset password" permission on a specific domain object.

    1. Start the ADUC on Windows 2008 Server's Administrative Tools.
    2. Right-click the container or object that you want to check this permission on.
    3. Click the Security tab.
    4. Click Advanced.
    5. Click Effective Permissions, and then specify the user or group that you want to check this right for.
    6. Check the following Effective permission list to see if the regular user has "Reset Password" permission on this object.

    For more detailed information, please refer to the following thread.

    Allow Help Desk to ONLY reset user passwords
    http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/3f0dbf8e-636b-45fe-93db-f788d5b976fd/


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    • Proposed as answer by Aiden_Cao Tuesday, March 27, 2012 1:31 AM
    • Marked as answer by Aiden_Cao Wednesday, March 28, 2012 1:13 AM
    Wednesday, March 21, 2012 9:37 AM
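
A scripted counterpart to the ADUC check described in the answer above, as an added example that is not part of the original thread: it lists the ACEs on a domain object that allow or deny the "Reset Password" extended right. The function name and the distinguished name are hypothetical placeholders; unlike the Effective Permissions tab, the script lists raw ACEs and does not expand group membership.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and read access to the object's security descriptor.
Import-Module ActiveDirectory

# Schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    $acl.Access |
        Where-Object {
            # Keep ACEs that carry the ExtendedRight bit (GenericAll includes it)...
            ($_.ActiveDirectoryRights -band $extendedRight) -and
            # ...and that name Reset Password specifically, or all extended
            # rights (an empty ObjectType GUID means "every extended right").
            ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Sort-Object AccessControlType, IdentityReference |
        Select-Object AccessControlType, IdentityReference, ActiveDirectoryRights,
                      IsInherited, InheritanceType, InheritedObjectType
}

# Hypothetical placeholder DN: replace with the OU or user object to audit.
Get-ResetPasswordAce -DistinguishedName 'OU=Staff,DC=example,DC=com' |
    Format-Table -AutoSize
```

Deny entries are listed alongside Allow entries because a Deny ACE for the same principal takes precedence when effective access is evaluated.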

All replies

  • Hi Aiden,

    Many thanks for your reply. The server is not joined to any domain server and it's only an application server, so I want to give permission to one of my users to change other users' passwords; I don't want to give him admin rights as well.

    Is there any solution for this requirement?

    Regards

    Aadi.

    Wednesday, March 21, 2012 2:53 PM
  • Hi Aadi,

    As I said before, for a standalone server, we must have the administrator right to reset other users’ passwords. Your understanding is appreciated.


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Friday, March 23, 2012 6:07 AM